Last week, the Ninth Circuit reversed a Nevada district court’s dismissal, for lack of Article III standing, of plaintiffs’ claims arising out of a data breach.[1]  In so holding, the Ninth Circuit reaffirmed its position on one side of a circuit split on the issue of standing to bring suit based on a substantial risk of identity theft or fraud resulting from a data breach, even in the absence of allegations that the risk actually materialized,[2] an issue that the Supreme Court recently declined to review.

The Ninth Circuit’s decision arose out of a 2012 data breach of the online retailer Zappos.com, affecting more than 24 million customers.  Although certain plaintiffs commenced lawsuits based on allegations that hackers had in fact used their personal information to conduct fraudulent financial transactions, the plaintiffs at issue in the Ninth Circuit’s decision alleged injury based solely on the hacking incident itself, without alleging any subsequent harm.[3]

In reaching its decision, the Ninth Circuit considered, for the first time since the Supreme Court’s decision in Clapper v. Amnesty International,[4] whether its prior holding in Krottner v. Starbucks Corp.,[5] where the Ninth Circuit found that allegations of future harm resulting from the theft of a laptop containing personal information were sufficient to confer standing, remained good law.  The court rejected Zappos’ argument that Krottner was overruled by the Supreme Court’s holding in Clapper that an “objectively reasonable likelihood” of interception under the Foreign Intelligence Surveillance Act was insufficient to confer standing in that case.  Instead, the court found that the Supreme Court’s decision, which hinged on the speculative nature of the plaintiffs’ alleged risk of future harm, was not inconsistent with the Circuit’s prior holding in Krottner, where the risk of future harm “did not require a speculative multi-link chain of inferences” because the information necessary to commit identity theft in the future had already been “intercepted.”[6]  The court concluded that the claims arising out of the Zappos breach were analogous to those in Krottner, and that plaintiffs alleged a “credible threat of real and immediate harm” sufficient to confer standing under Article III.[7]  Among other considerations, the court cited the fact that certain plaintiffs—whose claims were upheld by the district court—had indeed alleged financial losses arising from the same data breach incident as further support for the substantial likelihood of harm resulting from the breach alone.  Thus, the court concluded that the plaintiffs at issue in the instant case had sufficiently alleged an injury in fact and remanded to the district court.

Against the backdrop of the Supreme Court’s apparent reluctance to issue further guidance on Article III standing in the data breach context, the Zappos decision reaffirms the Ninth Circuit’s plaintiff-friendly posture in data breach litigation where a plaintiff has yet to suffer from subsequent identity theft or fraud, but can assert a substantial risk of future harm.  As such, the Ninth Circuit and other circuits with more plaintiff-friendly standing jurisprudence may see an increase in lawsuits initiated by plaintiffs who seek to recover for data breach incidents and who are able to assert jurisdiction and venue in those courts.


[1] See In re Zappos.com, Inc., No. 16-16860, 2018 WL 1189643 (9th Cir. Mar. 8, 2018).

[2]  As described in our prior memorandum and recent blog post, on one side of the split, the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits have found allegations of data theft with the attendant risk of future harm sufficient to confer Article III standing and, on the other side, the Second, Fourth, and Eighth Circuits have found that allegations based solely on the risk of future harm are insufficient to satisfy Article III’s injury requirements.

[3] The district court ruled that the first group of plaintiffs had standing based on their allegations that “actual fraud occurred as a direct result of the breach,” whereas the second group of plaintiffs did not have standing because they “failed to allege instances of actual identity theft or fraud.”  See In re Zappos.com, Inc. MDL No. 2357, 2016 WL 2637810, at *4-6 (D. Nev. May 6, 2016), reconsideration denied sub nom. Zappos.com, Inc., No. 3:12-CV-00325, 2016 WL 4521681 (D. Nev. Aug. 29, 2016), and rev’d and remanded, No. 16-16860, 2018 WL 1189643 (9th Cir. Mar. 8, 2018).

[4] 568 U.S. 398 (2013).

[5] 628 F.3d 1139 (9th Cir. 2010).

[6] In re Zappos.com, 2018 WL 1189643, at *3-4.

[7] Id. at *5.